The VPN group policies are extremely flexible. See below for instructions on how to create VPN group policies using client certificate or pre-shared key authentication.
Client-to-Site VPN Using TINA or IPsec IKEv1 and Client Certificate Authentication
Client certificate authentication allows you to authenticate the client by validating the client certificate when the client logs in. You can include matching conditions that evaluate the certificate fields. By default, each user can have only one concurrent client-to-site VPN connection. An Advanced Remote Access subscription is required to enable concurrent client-to-site VPN sessions by the same user.
Client-to-site VPN Using IPsec IKEv1 and Pre-Shared Keys
To let users access a client-to-site IPsec VPN without having to install X.509 certificates on their client devices, you can create an IPsec client-to-site VPN group policy using a pre-shared key (PSK). For users with mobile devices that are not managed by a mobile device management platform (MDM), using a PSK is more convenient than having to install client certificates for authentication.
For more information, see Example - Client-to-Site IKEv1 IPsec VPN with PSK .
Client-to-site VPN using IPsec IKEv2
Use an IPsec IKEv2 client-to-site VPN to let mobile workers connect securely to your firewall with a standard-compliant IKEv2 VPN client.
For more information, see Example - Client-to-Site IKEv2 IPsec VPN.